Verio tries to get Monkeys.com off its back

Antispam activist Ron Guilmette was just trying to make the Net a little less friendly to unsolicited e-mail. But when he added hundreds of Verio Inc. Internet addresses to his Monkeys.com list, he roused the ire of the Web-hosting giant.

Guilmette's list contains the IP addresses of servers that use a flawed version of Formmail, software that thousands of sites use to process Web-based forms. ISPs that use his list can automatically reject e-mail sent from any address on it.

Verio, based in Englewood, Colorado, threatened Guilmette with legal action if he didn't remove the company's IP addresses from his list. The company, a subsidiary of Japan's Nippon Telephone and Telegraph Corp., said Guilmette was hindering its clients' ability to send and receive e-mail, interfering with Verio's business, and defaming its reputation.

Guilmette grudgingly complied with Verio's demand in late June, but antispammers warn that the company's heavy-handed tactics could ultimately come back to haunt it.

Flaw in Formmail

The dispute centers on a flaw in Formmail, which lets sites process Web-based forms such as an e-mail contact page. Spammers can exploit this flaw to send massive amounts of bulk e-mail, obscuring their real identity and location in the process. Guilmette's list contains more than 600 Verio sites he claims use insecure versions of Formmail, though Verio has so far asked him to remove just one of those addresses.

A secure version of Formmail's software can be found online.

Verio admits that spammers have abused its clients' sites to send spam via Formmail in the past, but says it notified customers last May about the flaws and "took measures to disable these scripts from executing on the network," says Dennis Boyle, vice president of operations. "Since taking this action, no subsequent spam attacks have been reported."

However, our survey of some sites on the Verio network indicated the Formmail flaw still existed, even after Verio said it took corrective measures. The company removed the faulty software from these sites after being notified by PC World, but Guilmette says there are likely hundreds more copies of Formmail on Verio servers that could be exploited by spammers in the future.

Fighting for His Rights

The bigger issue for Guilmette is his right to post information on the Net. Guilmette, a one-person operation who receives no money for the use of his list, says he complied with Verio's demand because he can't afford the attorney fees to fight back.

"I think the proper way to handle these disagreements is to present your case in the court of public opinion," says Guilmette. "When big corporations say 'I'm gonna sue you, Mr. Little Guy,' it's clear to me they're doing it because monetary resources allow them to prevail, even if they're not in the right."

Verio says it's simply trying to protect its customers, whose sites have been abused by spammers and now find their e-mail blocked by antispammers. "Verio customers, who were first exploited by the illegitimate acts of spammers, are now being inappropriately penalized by Monkeys.com," says Boyle.

"I don't have the power to penalize anyone," Guilmette says. "I just publish data about servers that have known/proven software security problems of the type commonly exploited by spammers."

Ongoing Efforts

The Verio strategy may backfire, warns Alan Brown, an antispam activist who maintained a blacklist of spam-vulnerable mail servers until it was shut down by legal disputes in June 2001. Brown notes that several other antispammers have vowed to add Verio to their own blacklists.

"If all [Guilmette] is saying is, 'here's a list of IP addresses that run software configured in a particular way,' Verio's defamation claim is probably legally doubtful," says David Sorkin, associate professor at the John Marshall Law School and owner of the site Spamlaws.com.

Verio's demands have had another, unintentional effect on the way Guilmette maintains his list. Guilmette says he's stopped accepting removal requests, because the subjective nature of the removal process leaves him vulnerable to lawsuits. Site owners who've fixed their Formmail problems and want off his list will have to change their IP address, or risk having their e-mail permanently blocked.

"I think everyone acknowledges that blacklists like this do cause a lot of legitimate e-mail to get blocked," adds Sorkin. "That's why they work--they serve as an incentive for companies to secure their services better."

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.